A Silent Threat From Inside Out

National Post - February 21, 2012

Cyberspying on the rise

Since the Cold War, espionage has been a constant thorn in the sides of government and industry alike. But the cyberworld has transformed the art and science of espionage into an entirely new force to be reckoned with.

“Espionage has always been about stealing private or confidential information to use for a strategic advantage,” says Michel Juneau-Katsuya, cybercrime specialist and CEO of The Northgate Group in Ottawa.

“But cyber has delivered new tools to do it. Now you can get access using a computer; before you used human beings to do the breaking and entering.”

Cybercrime, and a business’s ability to protect its assets, has become an increasingly prevalent concern in recent months, he notes. “More and more financial institutions and bankers are concerned about security of a company before they invest. They’re asking for guarantees that their intellectual property investments are safe.”

The cybercrime community itself has become a veritable mixed bag of players, including individuals, activist groups, governments and major corporations who are turning to competitive intelligence and malicious attacks as a means to disrupt economies, gain a strategic advantage, make a political statement or bring corporate activity to a standstill.

And there’s more to come, contends Chris Mathers, an international crime and risk consultant based in Toronto.

“Crime has evolved because we’re still in the larval stages of IT. Compared to human history, the Internet has only been around a short time.”

At first it was basic hacking, he says. Then it morphed into kids and IT geeks wanting to see what they could do. After that, crooks could get in to steal credit card information and IDs.

“Credit card fraud is purse snatching compared to what these people are trying to do now,” Mr. Mathers says.

“There are large-scale operations with a view to disrupting commerce to their advantage. The big IT crime efforts are miles beyond somebody grabbing a credit card number. These can actually affect the GDP and economic performance of a nation.”

The cost to the economy is indeed staggering, says Mr. Juneau-Katsuya. And Canada is faring worse than many others.

“According to certain estimates, in Canada alone, $50- to $100-billion a year is lost [to cybercrime efforts]. The FBI reports that the U.S. loses $250-billion a year. So they’re losing just over twice as much as us, but are 10 times bigger.”

The reason, he says, is the wealth of intellectual assets in Canada. “We are a knowledge-based society. There’s a lot of phenomenal research going on. The population is also extremely naïve. While they understand what the threat is to, they have a poor understanding of where the threats are from.”

While a vast majority of the large-scale efforts are from the outside, a lot of cybercrime-related activities come from within a company, Mr. Juneau-Katsuya adds.

“Organizations don’t build walls between databases and restrict access to information as they should. If the protocols aren’t in place, it’s a free-for-all.”

In fact, he estimates that 90% of “spy cases” are conducted by somebody with legitimate access. “In other words, the wolf is in the barn. You can build a bunker, but the threat is already inside.”

The biggest thing organizations can do is to look at their business culture first and build awareness where needed, he advises, adding that most people

“A vast majority of people want to do their jobs honestly, but unknowingly release information.”

“The biggest need right now is teaching ‘regular people’ the business dangers of this,” Mr. Mathers says. “It’s not so much about what they can’t do, but what they can do safely.”

The social media component is only adding fuel to the flames, Mr. Juneau-Katsuya notes. “Social networks have created big, big issues. Something can be filmed or captured and in less than 15 minutes the whole world can be looking at it.”

Pamela Murphy, an assistant professor at Queen’s University School of Business in Ottawa, studies the psychology of fraud within organizations.

She speculates that cybercrime can make it easier for someone to rationalize their behaviour. “It’s easier to do from a psychological point of view because you rarely see the victim.”

She contends that organizational culture is a big part of the whole exercise. “Increase awareness, listen to people and get clues from the way they’re behaving.”

Ultimately, says Mr. Juneau-Katsuya, there are two elements you need to protect: your information, and the people that handle it. “Protection often has much more to do with business culture than physical security.”

Above all else, be wise about investing in protection from cybercrime, he advises.

“Generally corporations still perceive security as an expense that doesn’t contribute to profitability. It should be seen as a strategic investment that contributes to the wellbeing of the company. But there is a multitude of things that need to be understood first.”